This course offers customers an introduction to SolarWinds Backup, focusing on configuring the backup technology, taking backups, data restoration and data security. It is a great primer and will get you up to speed quickly on SolarWinds Backup. Register for class.

This topic describes how to troubleshoot InternalNewToolData alerts that may appear in the LEM console. These alerts are also called unmatched data or internal new connector data alerts.

Typically unmatched data and internal new connector data alerts indicate that one or more of the connectors on the LEM VM or appliance cannot properly normalize the associated log data. This alert may occur if LEM receives new log syntax that the connector is unable to interpret.

To troubleshoot these alerts:

Ensure that your syslog devices are sending logs to a syslog facility on your LEM appliance.

Determine which devices are logging to each facility, and whether those devices conflict with each another.

Ensure that your LEM Agent connectors, such as Windows-based and database connectors are running correctly.

Apply the latest connector update package.

Generate a syslog sample from the LEM appliance, and then open a ticket with SolarWinds Technical Support for further assistance.

Step 1: Troubleshoot syslog devices

Complete the following troubleshooting procedures for devices that send logs to a syslog facility on your LEM appliance.

Verify the connector and device are pointed at the same local facility.

Check the configuration on your device to determine what local facility it is logging to on your LEM appliance. In some cases, you cannot modify this setting.

For additional information, search for your device in the Connectors section of the SolarWinds Success Center. Except for CheckPoint firewall, the LEM receives UDP syslog data on port 514.

Verify that the connector is pointed to the same logging facility as the device.

Use the search box at the top of the Refine Results pane or select Configured.

Select the configured connector and view its details. Verify the Log File value matches the output value in the device configuration.

If the device and connector configurations do not match, point the connector to the appropriate location.

Click and select Stop.

Click and select Edit.

Change the Log File value so it matches your device.

Click Save.

Click and select Start.

Click the video icon to view a presentation about how to troubleshoot syslog nodes in LEM.

Step 2: Troubleshoot device logging

Certain devices (including Cisco devices) have similar logging formats that cause connector conflicts when logging to the same facility on your LEM appliance. Use the following procedure and table to determine what devices are logging to each facility, and whether those devices conflict with one another.

The EPOCH timestamp (1427722392000) starts each event, which is the date and time in Unix numeric format. The device sending the event (such as 192.168.2.251) follows. You will typically see ProviderSID (ASA-1-106021), which is similar to an Event ID.

Troubleshoot conflicting devices

Different firewall types should log to different facilities. For example, Cisco firewalls and Palo Alto should log to different facilities. However, both devices should log to their own facilities. Ensure that the devices in each of these groups are logging to distinct local facilities on your LEM VM. For example, if a device in Group 1 is logging to local1, make sure a device in Group 2 is not also logging to that facility.

SolarWinds recommends splitting the devices and vendors to different facilities. Having all devices pointed at one facility with multiple connectors reading that facility will impact your LEM performance.

Group

Devices

Group 1

Cisco ASA

Cisco IOS

Cisco PIX

Group 2

Cisco Catalyst (CatOS)

Group 3

Cisco Wireless LAN Controller (WLC)

Group 4

Cisco Nexus

Group 5

Cisco VPN

Group 6

Dell PowerConnect

Step 3: Troubleshoot Agent devices and connectors

Complete the following procedure to troubleshoot LEM Agent connectors, such as Windows-based and database connectors.

Verify the connector is pointing to the appropriate folder or event log.

Check the configuration on the host computer to determine which folder or event log it is logging in to.

In some cases, you cannot modify this setting. For additional information, search the SolarWinds Success Center for your device.

Verify that the connector is pointed to the same folder or event log as the device:

Select the configured connector and view its details. Ensure the Log File value matches the output value in the host computer configuration.

If the host computer and connector configurations do not match, point the connector to the appropriate location:

Click and select Stop.

Click and select Edit.

Change the Log File value so it matches the host computer.

Click Save.

Click and select Start.

Step 4: Apply the latest connector update package

If you completed the procedures in this section and you still see the unmatched data or internal new connector data alerts, apply the latest connector package before you contact Technical Support. See Apply a LEM connector update package to learn how.

Step 5: Contact SolarWinds Technical Support

If you are unable to resolve your issue using this article, open a ticket with SolarWinds Technical Support for further assistance. Be prepared to provide the following information to a support technician:

A copy of the LEM report (in Crystal Reports format) entitled Tool Maintenance by Alias for the last 24 hours or the period during that the unmatched data was detected.